Re: Xen security updates on Wheezy

To: Brian May <bam@debian.org>, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, Guido Günther <agx@sigxcpu.org>
Subject: Re: Xen security updates on Wheezy
From: Antoine Beaupré <anarcat@orangeseeds.org>
Date: Thu, 07 Apr 2016 15:02:37 -0400
Message-id: <[🔎] 871t6hs0mq.fsf@angela.anarcat.ath.cx>
In-reply-to: <87vb49242c.fsf@prune.linuxpenguins.xyz>
References: <871t6z93qo.fsf@angela.anarcat.ath.cx> <87vb49242c.fsf@prune.linuxpenguins.xyz>

On 2016-03-26 01:36:43, Brian May wrote:
> Antoine Beaupré <anarcat@orangeseeds.org> writes:
>
>> They seem to hold, although I have yet to test them in production. One
>> thing I noticed is that they don't seem to fix CVE-2015-8104 and
>> CVE-2015-5307, ie. that the patches you posted in
>> <87d1qvvzhi.fsf@prune.linuxpenguins.xyz> were not factored into the
>> package. That would seem to be important (and maybe we could push those
>> back towards the Ubuntu folks as well).
>
> That is correct, I had two patches previously that I did not incooporate
> yet:
>
> -rw------- 1 brian brian 5277 Mar 26 16:26 CVE-2015-2752.diff
> -rw------- 1 brian brian 4666 Mar 26 16:26 CVE-2015-8104+CVE-2015-5307.patch
>
> I believe CVE-2015-2752.diff is already patched in the Ubuntu version,
> so we don't need to worry it.

Those two patches actually *are* in the patch series in the packages you
built, as xsa125-4.2.patch and xsa156-4.2.patch, respectively. So
obviously, those patches don't apply. :)

In other words, I believe your package build is complete.

> Curiously the Ubuntu version declares it has fixed CVE-2015-5307 but not
> CVE-2015-8104 - so it is possible this means the above patch will not
> apply cleanly.

Hmm... maybe an oversight on their part. XSA-156 is composed of two
distinct vulnerabilities which got assigned the two CVEs above. The
xsa156-4.2.patch explicitly fixes both of those issues.

> Then there are just these three CVEs unaccounted for (and possibly don't
> matter):
>
>             - CVE-2014-5146 (marked No DSA)
>             - CVE-2014-5149 (marked No DSA)
>             - CVE-2014-8341 (marked No DSA)

I assume you mean CVE-2015-8341 for the latter. :) For that one, i
agree with no-dsa, it may be even not-affected, actually.

For the other two, I am not sure. Given the number of fixes we are
backporting, however, i am tempted to agree with the assesment ("too
intrusive to backport"), given the lag we're having with all this. 

I also note that 3 more vulnerabilities came up in Xen since I looked at
this, so I need to sit down to filter through those again.

I'll send a debdiff when i'm done.

A.

-- 
It is the greatest of all mistakes to do nothing because you can only
do little. Do what you can.
                         - Sydney Smith

Reply to:

Prev by Date: First test package to close #762594
Next by Date: Re: nss security wheezy updates ready for testing
Previous by thread: First test package to close #762594
Next by thread: Who is attending DebConf?
Index(es):
- Date
- Thread